Re: single value visualization sorting issue

Puvi · ‎11-29-2019

Hi,

i have a query which sorts the results, but when i change it to single value its not getting sorted
can anyone help in this?

woodcock · ‎12-01-2019

The trellis (and other) features will resort your stuff alphabetically so if you need to keep certain things in front, you need to add a series of leading spaces to the value, which will cause them to remain sorted your way but still appear the same when used as a field name, something like this:

| makeresults count=5
| streamstats count
| eval sortmebad=case(count==1, "one", count==2, "two", count==3, "three", count==4, "four", true(), "five")
| eval sortmegood=case(count==1, "    one", count==2, "   two", count==3, "  three", count==4, " four", true(), "five")
| multireport
[ | sort 0 sortmebad | eval sortmegood=null() ]
[ | sort 0 sortmegood | eval sortmebad=null() ]

niketn · ‎12-01-2019

@Puvi is it Single Value with Trellis Layout?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Puvi · ‎12-01-2019

yes it is using trells layout

richgalloway · ‎11-29-2019

What is the query?

---
If this reply helps you, Karma would be appreciated.

single value visualization sorting issue

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation